When you have XenMobile XNC then it is possible to filter ActiveSync requests going thru the NetScaler.

It works as follows:

The NetScaler appliance sits between the client and the XNC and CAS servers.

All requests from the client devices go to the NetScaler appliance.

The NetScaler then sends a request to the XNC with the device details to retrieve information about the device, whether the device is a whitelisted one or a blacklisted one.

Based on the response from the XNC, the NetScaler either drops the connection from a blacklisted device or forwards the request from a whitelisted device to the backend server.

You need the following features on the NetScaler and configure this properly:

Load Balancing

SSL

HTTP Callout

Responder

Integrated Caching (IC)

This mean that you need NetScaler Enterprise + IC or NetScaler Platinum.

Integrated Caching is needed because of performance reasons. With IC it has the capability of storing the callout response from the XNC in the local cache. For subsequent requests from the same device, the NetScaler reuses the stored callout response to make decisions locally to either drop the connection or forward the request.

The process as mentioned above now on technical level:

First, an ActiveSync request is sent from the client to the NetScaler.

Then, the NetScaler sends a request to the XNC server for information on the client device details.

Then, the XNC server sends the response – allow or deny to the NetScaler.

If the request is allowed, NetScaler forwards it to the server. If the response is deny, NetScaler drops the request.

For a request that is allowed, the NetScaler send the server’s response to the client.

A few days ago Oracle released Java update 7u51. This update contains security updates which breaks the applet which is used to configure the NetScaler via the GUI. When you have installed the update and try to open the GUI you’ll get the following warning as shown in the screenshot below.